Home / vulnerabilities VCE Vision(TM) Intelligent Operations Cryptographic / Cleartext Issues
Posted on 18 June 2015
Source : packetstormsecurity.org Link
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext Vulnerabilities
CVE Identifier: CVE-2015-4056, CVE-2015-4057
Severity Rating: CVSSv2 Base Score: See below for individual scores for each CVE
Affected products:
VCE Vision Intelligent Operations prior to 2.6.5
Summary:
VCE Vision(TM) software versions prior to 2.6.5 have been identified to contain security vulnerabilities that may potentially be leveraged by a malicious user to obtain sensitive information
Details:
Weak Cryptographic Scheme (CVE-2015-4056)
Weak cryptographic scheme in the VCE Vision(TM) System Library that can result in access to sensitive information by an authenticated administrative user
Exploitation requires that an attacker login as root to a VCE Vision System Library virtual machine where the potential exists for sensitive system credential information in several VCE Vision application configuration files to be accessed in an unauthorized manner.
CVSS v2 Base Score: 6.6 (AV:L/AC:M/Au:N/C:C/I:C/A:P)
Cleartext Transmission (CVE-2015-4057)
Cleartext transmission issue in the VCE Vision(TM) Plug-in for VMware vCenter for VCE Vision software that could be exploited by attackers to obtain password information
The VCE Vision admin user password is reflected in cleartext when the user loads the Settings screen of the VCE Vision Plug-in for VMware vCenter via a web browser.
CVSS v2 Base Score: 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P)
Resolution:
These vulnerabilities are fixed in VCE Vision software 2.6.5 and above. Customers should upgrade to VCE Vision software 2.6.5 at their earliest opportunity.
Link to remedies:
VCE Vision software version 2.6.5 can be located within the VCE(TM) Download Center by logging into http://support.vce.com > VCE Download Center > VCE Software and VCE Software Documentation for VCE Converged Infrastructure Systems>Respective Vblock VCE Software Addendum
You can find the VCE Vision software version 2.6.5 upgrade guide in the VCE Download Center by logging into http://support.vce.com > VCE Download Center > respective Vblock System model >VBXXX VCE Software Documentation>VCE Vision Intelligent Operations Documentation for Vblock System XXX
If you have any questions, contact VCE(TM) Support.
Read and use the information in this VCE Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact VCE Technical Support.
VCE recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.
VCE Company, LLC distributes VCE Security Advisories, in order to bring to the attention of users of the affected VCE products, important security information. VCE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. VCE disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall VCE or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if VCE or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
VCE Product Security Incident Response Team
vcepsirt () vce com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBAgAGBQJVgO5aAAoJEFsFEWrxf5544rgQAM0RYTqP7KI8rfVGuArJXBwc
yEbEgv0Fc7rv8k1LWAIxRni1S+5mZtiIw+RXQUbsy7s3uh4ro1Wmp+XwbutTHQpb
Cp2Nd0REkVm24hpyEGlcGvhicnEsKj27gqNUkYi8h/mCK4pqEU3wfw4SbfKF4bpv
Nn85xwxDmC2TwJHJGGbRwPcx1pgAWO7sYHSpO0JAvKlf2Yrvw5FS2tzLEdJ/Te6K
nJ4of77v+7CvnmJ7peskvgOdnIEmLUT6nZwi0TcIT/htm5N29qIfdq8kafEwMSmU
jrpqWI6XEQtPm6F6jm/5CvT4rJm8Uaa9jcCA9t+XSF0116Ovkj3AiWNmegK21Cfa
VWTYn7a/eV1+BTItr+yXISa8oqQMhAM7E25ALxHvXYCeG1xzxUNFjeJ/zh80JN+G
UoZBPn4tUK6cVZuKcECW4blXirP73R8+H/xQFkKqRI5COgKgW0urJAW9WEgufyax
CjTR3eQjtfztmiQYmUXSp6EdK/cRi6tFWUTZFRvqvWJ+3+28TeNs8+nyWBFF+Jro
IWtFx+npyOnCP+jTsFHu4vaOuq6DOusu9kaf+WQk/R7O6BqosTCbL3Xnie8OeM8T
56Nq6NNtmXa2gVNceDcAfACD1kkzxviaZWBvMERMvUp+ELBGRxgwVkPiCKWMmoUW
mJBCpzsvzdVN8ZWKcWXE
=oRil
-----END PGP SIGNATURE-----